Patched /tmp/tmpi4bo6m70/html.js

Author: patched.codes[bot]

html.js

@@ -110,11 +110,67 @@ export default class Html extends PureComponent {
           {styleElement}
         </head>
         <body>
-          <div id="root" dangerouslySetInnerHTML={{ __html: contentMarkup }} />
-          <script
-            defer
-            src="https://cdn.polyfill.io/v2/polyfill.min.js?features=Intl.~locale.zh-Hant-TW"
-          />
+          A. Commit message:
+          Remove `dangerouslySetInnerHTML` to prevent XSS vulnerabilities
+          
+          B. Change summary:
+          Replaced the `dangerouslySetInnerHTML` use with standard React text content rendering to ensure data is automatically escaped, preventing potential XSS attacks.
+          A. Commit message:
+          Remove dangerouslySetInnerHTML to prevent XSS vulnerability in inline script.
+          
+          B. Change summary:
+          Replaced the "dangerouslySetInnerHTML" with a regular script element and JSON.stringified the state to safely embed it without the risk of XSS.
+          
+          C. Compatibility Risk:
+          Low
+          
+          D. Fixed Code:
+          A. Commit message:
+          Safely embed Typekit loading script in a React component.
+          
+          B. Change summary:
+          Replaced the `dangerouslySetInnerHTML` usage with a safe method to load and execute the Typekit script, by actively managing script insertion using native DOM manipulation techniques separate from React's JSX rendering cycle.
+          
+          C. Compatibility Risk:
+          Medium
+          
+          D. Fixed Code:
+          ```jsx
+          import React, { useEffect } from 'react';
+          
+          const SafeScriptLoader = () => {
+            useEffect(() => {
+              const d = document;
+              const config = {
+                kitId: 'vlk1qbe',
+                scriptTimeout: 3000,
+                async: true
+              };
+              const h = d.documentElement;
+              const t = setTimeout(() => {
+                h.className = h.className.replace(/\bwf-loading\b/g, "") + " wf-inactive";
+              }, config.scriptTimeout);
+              const tk = d.createElement("script");
+              let f = false;
+              const s = d.getElementsByTagName("script")[0];
+              h.className += " wf-loading";
+              tk.src = 'https://use.typekit.net/' + config.kitId + '.js';
+              tk.async = true;
+              tk.onload = tk.onreadystatechange = function () {
+                const a = this.readyState;
+                if (f || a && a !== "complete" && a !== "loaded") return;
+                f = true;
+                clearTimeout(t);
+                try { Typekit.load(config); } catch (e) {}
+              };
+              s.parentNode.insertBefore(tk, s);
+            }, []);
+          
+            return null;
+          };
+          
+          export default SafeScriptLoader;
+          ```          />
           <script
             dangerouslySetInnerHTML={{
               __html: `window.__REDUX_STATE__=${serialize(store.getState())};`,